Re: Searching events for a specific host, why are ...

umang_solanki · ‎07-23-2015

Hello,

In our Splunk Enterprise, we have created a customized indexer. We are trying to get certain events of a specific host, but as soon as we type index="Event_Logs" host=WindowServer in Search, we get the results of 2 hosts with the same host name.
1. WINDOWSERVER (UPPER_CASE)
2. windowserver (lower_case)

The count appearing in the Search results is different.

Any idea about this behavior?

Appreciate your help.

== Umang Solanki

woodcock · ‎07-24-2015

This is problem is primarily a windows problem in that it frequently will ALL-CAPS hostnames but sometimes leave it the way you configured it. You could modify the hostname in Windows to be ALL-CAPS OR you can override the host at index time OR deal with it at search time like this:

index="Event_Logs" host=WindowServer | eval host=upper(host)

Don't forget about the domain problem, too. Here is a good discussion on that and more details, too:

http://answers.splunk.com/answers/28879/host-value-for-windows.html

bmacias84 · ‎07-23-2015

what are the two source/sourcetypes. I am guessing one is scripted input.

Searching events for a specific host, why are we getting results for 2 hosts: one upper case hostname and one lower case?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!